Bill would transform VA cybersecurity

The House Veterans' Affairs Committee has drafted legislation to accelerate improvements in information security at the beleaguered Veterans Affairs Department following the loss of sensitive data belonging to millions of veterans, reservists and active-duty service members.

The committee will mark up the proposed Veterans Identity and Credit Protection Act of 2006 on Thursday, with plans to send it to the House floor next week, said committee chairman Steve Buyer (R-Ind.).

The legislation would incorporate many of the changes in VA IT security that federal overseers and industry have recommended in several recent hearings following the data loss in May. The FBI and local law enforcement have since recovered the notebook PC and external hard drive and have indicated to VA that no data was accessed.

At the same time, the General Services Administration told the committee it has initiated a blanket purchase agreement specifically for credit monitoring services for federal agencies so they can respond to potential data compromise quickly and effectively.

GSA last week invited 21 contractors from its Financial and Business Services Schedule to compete for multiple blanket purchase agreements to provide three levels of credit monitoring depending upon the risk, said Jim Williams, commissioner for GSA's Federal Acquisition Service. Ordering agencies will be able to select the most appropriate level of credit monitoring services.

'Federal agencies do not have the luxury of time to embark upon a prolonged procurement process of their own,' he said.

Responses to the BPA request are due Monday. Besides credit monitoring, GSA expects contractors will provide applications to detect early signs of fraudulent activity and identity theft, services for reporting lost or stolen Social Security numbers to the three national credit bureaus, and for requests for fraud alerts and statements on all credit files.

GSA plans to make awards in August and expects several agencies to begin placing orders immediately, Williams said.

Lawmakers hope the legislation could be implemented quickly to prevent some of the situations that would require those credit monitoring services. VA should be able to implement the provisions of the bill within six months, said John Gauss, a former VA CIO and currently president of FGM Inc. of Reston, Va.

'You could use this as a model and move it out to other agencies as quickly as possible,' he told the committee.

When Gauss was CIO, he convinced the secretary to centralize the IT environment, but the effort got dragged down in the department concurrence process, he said.

'I am an advocate of change, even if there is collateral damage in the beginning. Otherwise, the advocates of no change will drag this out. It's time to strike and strike fast,' Gauss said.

Among its proposals, the VA cybersecurity bill would make the department CIO also the undersecretary of information services, which would give the position a seat at the executive table with the other undersecretaries who lead VA's health, benefits and burial administrations.

The bill would also create the Office of the Undersecretary for Information Security, which would contain three deputy undersecretaries for operation and management, policy and planning, and security. The last of these would also serve as the department's senior information security officer. The bill also details data breach response, risk analysis, and notification and credit monitoring services for those affected.